To my surprise that argument also went down well with the Heads of Information Security and of overall Risk in the audience. I therefore promised to publish the script: unchanged. I should perhaps add that I spoke after a splendid introduction by Neira Jones. She began with the Cisco take on the evolving threats as we move from fixed to mobile communication, the interconnectedness of everything and the world of Dirk Gently's Holistic Detective Agency.
After a panel discussion I took up the thread ...
My first main point is that most information security professionals would not understand a business case if it bit them on the bum. In consequence they blether about compliance and attacks without putting the risks into context. I am a fan of using trusted computing methodologies to strip out layers of overhead so as to deliver better security at lower cost, but that is not the prime objective.
What are the objectives
• Customer Confidence
• Board Confidence
• Staff Confidence
• Transaction Margin
• Sustainable Net Profit
The objective is to help the organisation to make more money by getting more customers to do more and more profitable business, on-line if that has better margins, net of security costs.
That also entails being seen to have more trustworthy people processes.
I want to begin by being realistic about current consumer and business confidence and attitudes to risk.
We face a slow 1930s style economic recovery after a series of crashes akin to those of the late 1920s. Until the onset of re-armament, recovery in the 1930s was driven by customers seeking better value. Their disposable incomes recovered slowly, if at all. Today our after-tax disposable incomes are again falling in real terms. They are likely to continue to do so for some years. The growth in demand over the Internet is driven by those seeking more for less: whether they are your customers or your directors and investors.
Meanwhile confidence in the ability of the Internet community to deliver has been badly dented by a series of public scandals reinforced by personal experience.
Few may be really concerned over whether GCHQ or the NSA has access to their e-mails or phone records. Few may fully appreciate that the business models of major players like Google, Facebook or the Mobile Phone Companies, entail selling their personal information to almost anyone who will pay. Few may understand that allying these business models to Government open data policies and the vulnerability of most customer databases, means that criminals can readily acquire all they need to obtain credentials in the names of almost all those worth impersonating.
Almost all, however, receive a flow of helpful e-mails, texts and phone calls purporting to come from their bank or Internet Service Provider. Most are aware of the campaigns to persuade them to use security products that give as much protection against the threats of today as a leaky condom gives against sexually transmitted diseases. Those with children or grandchildren fear theirs are among the one in five who have already been abused and bullied over the social networking sites they use.
At the business level, most organisations, large or small, have already been victimised, over a quarter of them within the past twelve months. In consequence the proportion of those willing to transact on line has been static for some years. Almost all UK businesses, large and small, have websites. Barely a third are willing to transact on-line.
Hence the objectives. Not necessarily in order of priority.
You need to give your customers the confidence to deal with YOU on-line, and that includes giving them the confidence that it really is YOU that they are dealing with. But first you need to give your Board a level of confidence that two thirds of their peers do not have.
Directors are disproportionately targets of fraud and impersonation. UK-based attackers commonly use the details filed with Companies House to select victims worth serious effort. The services you provide to YOUR board members to help them secure themselves, including their smart phones and home systems, are therefore critical to giving them the confidence to invest more in the on-line products and services you want to use in order to secure the rest of the business.
And you cannot give your directors serious confidence in the security of the organisation unless you have done the same for your staff as a whole, so that their on-line behaviour does not present multiple points of weakness for penetrating your systems.
But the objective is not just the "confidence" to do more on-line. It is to ensure that it is profitable business. The cost of the additional security must not be more than the value of the additional transactions. Moreover it is not just the transactions that are valuable. The trigger for a switch to hardware encryption across all user laptops and smart phones on the part of one global player was when their legal counsel lost his laptop, with files on all their current legal and regulatory cases.
Who needs to worry about hackers or the failure of junior staff to abide by complex security policies when those at the top can be so vulnerable?
That leads me to the need to put the "real" risks into perspective.
Putting the risks into perspective
• An over ambitious chief executive
• Insiders (from compliance officers to cleaners)
• Digititis (crashing networks, systems etc.)
• Mother nature (crashing power supplies, networks etc.)
• Regulatory overheads driving business offshore
• Intrusive Security driving away customers
• Losses from fraud and cyber-crime
No-one has destroyed as much shareholder value as Adam Applegarth, who took Northern Rock into 125% mortgages, or Steve Crawshaw, who took Bradford & Bingley into self-certified loans. Meanwhile Sir Fred Goodwin was busy buying high risk asset portfolios even before he outbid Barclays for the can of worms that was ABN Amro. By far the biggest risk to any organisation is a chief executive who has lost touch with reality, supported by a board of sycophants.
Then come the other insiders. Almost all major frauds and most serious losses of intellectual property, whether research databases, development plans or marketing databases, involve insiders, whether actively corrupt or merely careless, from compliance officers and IT security itself, through help desks and dealers to the cleaners who have the run of the building at night.
More systems are vulnerable to digititis, finger trouble during supposedly routine upgrades, including of security, than are brought down by external forces, whether power failure, fire or flood, let alone hacking. Recent publicity for system outages (however brief) on the part of Google and Amazon, Apple and Microsoft, let alone ATM and banking networks, has concentrated minds on resilience as much as security. How many of you now carry more cash lest your cards stop working?
Few calculations of the cost of compliance include the business lost because of tick box complexity. The British Retail Consortium survey into the cost of e-Crime last year indicated that barely a third of the cost was actual losses from fraud and theft. Over half was legitimate business rejected through on-line fraud prevention and security measures.
Security as part of marketing strategy
• We value you as a customer
• We are serious about customer service
• How can we help you? firstname.lastname@example.org
• Notification of attacks not breaches
• Good Citizenship & Partnership Policing
The reported losses from e-Crime are often piddling compared to what is spent on security, let alone what is written off as bad debts. But the biggest cost is the lost business from those who did not transact with you because they:
• got lost, fed up or timed out in the entrails of your on-line security system,
• got confused by all the security do's and don'ts and decided it was safer not to
• took the advice on strong passwords seriously and cannot remember what it was
• only transact with those they trust, like Amazon, John Lewis or Tesco
• or because your security clashed with theirs
We have all read the hype on the growth of e-commerce. Over two thirds of the UK population may have bought on-line "more than never", but barely a quarter does so regularly - counting "more than once a month on average" as regular.
We are about to be subjected to another round of awareness campaigns designed to frighten potential customers into buying more scareware or into visiting only the websites of those market leaders who have been able to conceal their insecurity. But your customers, let alone your directors, are confused and frightened enough already. The scale of that confusion and fear is indicated by the £billion or so of repayments now due from the mis-selling of impersonation protection policies by UK banks.
If you want your customers to transact via you, not via Amazon or Paypal, you need to support, and be seen to support, campaigns that give realistic advice, with links to sources of help and redress that give your customers the feeling that if they report problems, some-one actually might take action and perhaps even help them. You need to give those customers the warm glow of revenge they feel when they think that their report to email@example.com might actually help convict a fraudster or pederast, or help clean up the Internet by putting a criminal registrar who supplies domain names without checking the details out of business.
When I forward a possible scam to abuse@Paypal, I like the e-mail that comes back saying "thank you for reporting this, you were correct, it is a scam, your report will help us to protect you and others in the future". I know that all they have done is collated my report with all the other reports of that particular scam and sent me an automated reply. But it gives me some hope that they might actually be doing something.
When those collations are indeed used to help action under civil law to remove the innocent carrier defence and secure help from Internet Service Providers and Domain Name Registrars to take out groups of predators, you should make a point of telling your customers that their reports have helped. You should also measure the response so that your Finance Director can share a warm glow that he might even remember when you next face him during budget negotiations.
It is also important to make it easier for your customers to do business with you securely than insecurely.
The on-line security routines of the banks may look impressive but keeping track of multiple PIN numbers, passwords and memorable phrases is impractical unless you compromise security by writing them down or saving them inside the system. As soon as I got my new smart phone I switched on the tracking device. I like the idea of asking those I deal with to register the devices from which I expect to contact them and the locations from which I expect to use them, so that I can use a simple pass code when going on-line from home but have strictly limited use away from home without passing robust security checks. In the corporate context, perhaps with encryption also secured to the device, you can even live with otherwise seriously counter-productive tick box breach notification regimes in reasonable confidence that no actual compromise has taken place.
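To make the registered-device-plus-location idea concrete, here is an added illustration of one way a service could implement it. It is not code from the talk or from any bank; the account structure, the three access levels ("full", "limited", "denied"), the rule that an unregistered device is refused unless the robust step-up checks have been passed, and the sample passcode and locations are all assumptions made for the example. Enrolment gives each device a secret that never leaves it again; at login the device proves possession by signing a fresh server nonce, and the policy only then looks at where the request is coming from.

```python
"""Added example (not from the original talk): device registration plus
location-aware step-up policy. All names and sample values are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    salt: bytes
    passcode_hash: bytes
    devices: dict = field(default_factory=dict)          # device_id -> device secret
    home_locations: set = field(default_factory=set)     # coarse labels the user registered


def _kdf(passcode: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked account table does not yield the passcodes.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


def make_account(passcode: str, home_locations) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt=salt, passcode_hash=_kdf(passcode, salt),
                   home_locations=set(home_locations))


def enrol_device(acct: Account, device_id: str) -> bytes:
    """Registration: mint a per-device secret. The device stores it locally
    (ideally in hardware-backed storage); the server keeps its own copy."""
    secret = secrets.token_bytes(32)
    acct.devices[device_id] = secret
    return secret


def sign_challenge(device_secret: bytes, nonce: bytes) -> bytes:
    """Client side: prove possession of the enrolled secret without sending it.
    The nonce must be fresh per login so a captured proof cannot be replayed."""
    return hmac.new(device_secret, nonce, hashlib.sha256).digest()


def decide(acct: Account, device_id: str, nonce: bytes, proof: bytes,
           location: str, passcode: str, step_up_passed: bool = False) -> str:
    """Return the access level for this login attempt: 'full', 'limited' or 'denied'.

    Assumed policy (not the talk's words):
      - wrong passcode: denied, whatever else is presented;
      - registered device at a registered location: full access on the passcode alone;
      - registered device elsewhere: limited access unless step-up checks were passed;
      - unregistered device: denied unless step-up checks were passed.
    """
    if not hmac.compare_digest(_kdf(passcode, acct.salt), acct.passcode_hash):
        return "denied"
    secret = acct.devices.get(device_id)
    device_ok = secret is not None and hmac.compare_digest(
        sign_challenge(secret, nonce), proof)
    if not device_ok:
        return "full" if step_up_passed else "denied"
    if location in acct.home_locations:
        return "full"
    return "full" if step_up_passed else "limited"


def run_demo() -> dict:
    """Constructed scenario: one account, one enrolled phone, logins from several places."""
    acct = make_account("2468", {"home-uk"})
    phone_secret = enrol_device(acct, "phone-1")
    nonce = secrets.token_bytes(16)           # server-issued, one per login attempt
    proof = sign_challenge(phone_secret, nonce)
    return {
        "home": decide(acct, "phone-1", nonce, proof, "home-uk", "2468"),
        "away": decide(acct, "phone-1", nonce, proof, "hotel-fr", "2468"),
        "away_step_up": decide(acct, "phone-1", nonce, proof, "hotel-fr", "2468", True),
        "unknown_device": decide(acct, "laptop-9", nonce, proof, "home-uk", "2468"),
        "bad_proof": decide(acct, "phone-1", nonce, b"\x00" * 32, "home-uk", "2468"),
        "bad_passcode": decide(acct, "phone-1", nonce, proof, "home-uk", "0000"),
    }


if __name__ == "__main__":
    for case, level in run_demo().items():
        print(f"{case:15} -> {level}")
```

The point of binding the login to a per-device secret rather than to a cookie or an IP address is that "registered device" then means something an attacker with a stolen password does not have; the location check only decides how much of the account that device may reach without further checks.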
Your routines for handling abuse, so that it is easy to report attempts to impersonate your organisation or defraud your customers, should be a core part of your brand positioning, helping turn potential victims into loyal customers. Neglect them and you are telling your customers that you do not care. The routines you use to train your staff and contractors on how to help protect the organisation, its customers, themselves and their families should similarly help reinforce customer loyalty at a time of increased competition for profitable repeat business.
Here I would like to make a few points on the value to your brand of being an active participant in collective good citizenship activities, particularly those awareness campaigns that are linked to serious victim support programmes. The "brand" message is that not only do you look after yourselves and your customers, you also help look after those who are unfortunate enough to be the customers of your competitors.
You should also be active in trying to ensure that regulation is fit for purposes, switching the focus from breach notification to what is done when a compromise is suspected. That entails notifying attacks to those who will collate the information for collective response. Being active alongside high value customers and business partners in those exercises that are for real should, once again, be part of well-targeted brand management.
An example was when a major bank was aware that a group of high value customers was being selectively defrauded but could find no evidence of a breach: whether technology or people. It needed to find out whether the problem was specific to its customers or shared with its competitors: e.g. some-one had created a "Luxury Cruises R. US" website to harvest the details of high net worth individuals. The answer was to work with others on a Silver Surfers Awareness Campaign to provide cover for co-operation without admitting its own concerns.
I understand that the Experian service for those with suspected compromises has had over 2,000 corporate clients, none of whom subsequently notified any of the incidents on which they sought help. One of its components is the use of the Garlik search engine to find who is selling information on your customers over the Dark Side of the Internet, partly so that the potential victims can be quietly contacted and helped, but also so that the supply chains can be identified and broken.
I will conclude with the case for having staff inside the new police volunteer support programmes so that, if you need to work with law enforcement, your processes for investigation or providing material of evidential use dovetail with theirs. There is a similar case for participating in the new cyber-security military reserve programmes, particularly those for rapid response without staff leaving their desks, because when there is a major problem with, for example, ATM networks and payment clearance, you may not otherwise know whether it was digititis, criminal activity or the start of World War 3 until too late.
Giving publicity to your support for such collective activity is a good way of not only sharing the cost and building allies but also promoting your image as taking the security of your customers and partners seriously and therefore being an organisation they can be confident of working with in an age of fear, uncertainty and caution.
Thank you for listening.